Denial of webserving attack prevention! - Unix

This is a discussion on Denial of webserving attack prevention! - Unix ; If someone is running, say, ab on my computer to prevent Apache from
serving other requests, how do I block them? ie. it has to cut off that
computer if too many requests are received in too short a span ...

Denial of webserving attack prevention!

If someone is running, say, ab on my computer to prevent Apache from
serving other requests, how do I block them? ie. it has to cut off that
computer if too many requests are received in too short a span of time.

How?

Thanks,

Re: Denial of webserving attack prevention!

On Mon, 02 May 2005 14:57:18 -0700, themf wrote:
> If someone is running, say, ab on my computer to prevent Apache from
> serving other requests, how do I block them? ie. it has to cut off that
> computer if too many requests are received in too short a span of time.
>
> How?

Many firewalls have the option to limit the number of concurrent
connections from an IP or a netblock. For Linux, have a look at connlimit.

M4
--
Redundancy is a great way to introduce more single points of failure.

Re: Denial of webserving attack prevention!

>
> Many firewalls have the option to limit the number of concurrent
> connections from an IP or a netblock. For Linux, have a look at
connlimit.

Any way to get Apache to do it directly?

Re: Denial of webserving attack prevention!

On 2005-05-02, themf@graffiti.net wrote:
> If someone is running, say, ab on my computer to prevent Apache from
> serving other requests, how do I block them? ie. it has to cut off that
> computer if too many requests are received in too short a span of time.
>
> How?
>

If they are running "ab" on your computer you might want to seriously
think about removing that user from your computer. If they are doing
malicious stuff they are obviously someone that you dont want around.

--

( When in doubt, use brute force. -- Ken Thompson 1998 )

Re: Denial of webserving attack prevention!

>
> If they are running "ab" on your computer you might want to seriously
> think about removing that user from your computer. If they are doing
> malicious stuff they are obviously someone that you dont want around.
>

Er - the guy running ab is on ANOTHER computer, not mine!

Re: Denial of webserving attack prevention!

On Tue, 03 May 2005 18:37:34 -0700, themf wrote:
>>
>> Many firewalls have the option to limit the number of concurrent
>> connections from an IP or a netblock. For Linux, have a look at
> connlimit.
>
> Any way to get Apache to do it directly?

Not afaik, maybe the situation changed but when I looked into it several
years ago, there was no apache only solution. But you might want to browse
the modules list at www.apache.org to see if there is anything suitable
nowadays. (And let us know if you find something).

M4
--
Redundancy is a great way to introduce more single points of failure.

Re: Denial of webserving attack prevention!

On Sat, 07 May 2005 17:14:41 +0200, Martijn Lievaart wrote:
> On Tue, 03 May 2005 18:37:34 -0700, themf wrote:
>
>>>
>>> Many firewalls have the option to limit the number of concurrent
>>> connections from an IP or a netblock. For Linux, have a look at
>> connlimit.
>>
>> Any way to get Apache to do it directly?
>
> Not afaik, maybe the situation changed but when I looked into it several
> years ago, there was no apache only solution. But you might want to browse
> the modules list at www.apache.org to see if there is anything suitable
> nowadays. (And let us know if you find something).

Pretty sure you can change what content is sent to which client
by IP address, and am I imagining a mod_throttle or did I read about
it once? Thought it was for this.

There's an apache webserver newsgroup, this question might be in
their FAQ. Apache.org's docs are also excellent with a good search
engine. The words "deny" or "throttle" might be helpful for the search.

Dave Hinz

Re: Denial of webserving attack prevention!

Le Thu, 05 May 2005 06:40:12 -0700, themf a écrit*:
>
>>
>> If they are running "ab" on your computer you might want to seriously
>
>> think about removing that user from your computer. If they are doing
>> malicious stuff they are obviously someone that you dont want around.
>>
>
> Er - the guy running ab is on ANOTHER computer, not mine!

That's understood :-)

And that's another reason to act at the kernel/firewall level instead of
at the server/userspace level where it can be pretty too late.

Which don't stop you of setting further user rules at the apache level,
but I think it's better to stop the possible deep attacks as soon as can
be; i-e use the advice given by Martijn :-)